120 Compromised Ad Servers Target Millions of Internet Users, Mobile Devices

Tag Barnakle Compromised 120 Ad Servers, Targeted Millions of Users, Mobile Devices

An ongoing malvertising campaign tracked as “Tag Barnakle” is now targeting mobile users, a researcher finds.

Security researcher Eliya Stein of Confiant estimated that Tag Barnakle has been linked to over 120 breaches of ad servers over the past year.

In this malvertising campaign, attackers inject malicious code into ad servers with the goal of serving fake ads that redirect users to rogue websites to target them with scams and malware.

Unlike other operators who try to buy space on legitimate websites for running the malicious ads, Tag Barnakle can “bypass this initial hurdle completely by going straight for the jugular — mass compromise of ad serving infrastructure,” said Stein in a Monday post.

In April 2020, Confiant reported that the Tag Barnakle actors had compromised nearly 60 ad servers, with most of the infections affecting Revive, an open-source advertising server.

In the latest round of attacks, the campaign operators have upgraded their tools to target mobile devices as well, the researcher believes.

“Tag Barnakle is now pushing mobile targeted campaigns, whereas last year they were happy to take on desktop traffic,” Stein said.

Specifically, when certain checks are satisfied, the websites that receive an ad carry out client-side fingerprinting to deliver a second-stage JavaScript payload: click tracker ads, Stein explained. The ads then redirect users to fake websites and try to redirect them to an app store page for rogue security, safety, or VPN apps. The fake apps come with hidden subscription costs or hijack the traffic for other malicious purposes.

Since Revive is used by a large number of platforms and media companies, Confiant estimates Tag Barnakle has hit “tens if not hundreds of millions of devices.”

“This is a conservative estimate that takes into consideration the fact that they cookie their victims in order to reveal the payload with low frequency, likely to slow down detection of their presence,” Stein said.



About the author

CIM Team
